Posted: Wed 16 Apr 2014, 21:51 Post subject:
Is a Frugal install as secure as...Subject description: Is it secure as running a live session from a CD

Hi

I'm a novice linux user. while on the internet, is using a frugal install of puppy linux with an encrypted pup save file as secure as running puppy off of a CD as a live session and saving to a flash drive? Is it more secure than a conventional, full, install. This would be for internet banking and regular net surfing, no risky online behaviour or anything. Thanks in advance for the help. Happy Easter!

An encrypted Save file won't protect you from yourself. If you pick up a virus or some other malware from the Internet, that virus will be saved in your Save file, encrypted along with everything else. Encrypting your Save file will only protect you from someone who has physical access to the media that has the Save file in it.

In my opinion, the safest way to run Puppy is from a multisession CD or DVD. In effect, this puts your Save file on the same CD or DVD you're booting Puppy from, but not quite exactly. The differences are in your favor. The only disadvantage is that booting takes longer than from a USB flash drive.

I try to keep all data/files/music etc completely outside of Puppy. That way I don't need a savefile at all, nor do I need to install anything on the PC's HD.

I boot from a CD/DVD and run everything in memory (RAM). That way I have a fixed pristine version of the operating system and desktop/GUI and don't even need to open up (mount) the HD unless I want to read or write something from/to the HD (my data area).

For online banking I boot up and load a brand new Firefox, go only to my banks web site and power-down (reboot) afterwards.

For other 'normal' sessions I just boot up and do whatever, maybe adding to or using some HD access (data) and browse the net etc.

If puppy trashes, my data is secure, intact and accessible (I back that data up periodically).

For the above purpose, I have a trimmed down puppy slacko (trimmed version of mick0's 5.3.3t) that has a 67MB Puppy SFS file size (small). But I also have another 193MB of 'extras' in a EXTRA sub-directory/folder on that CD/DVD. Total ISO size is 290MB (would be around 97MB without the EXTRA folder content).

It's UK specific i.e. the onscreen keyboard is set to be UK and AbiWord is set to use a en-GB dictionary, but if you like you can download it from here :

Its fully functional, but in layers. Initially at the first boot you'll have to enter locale details etc, connect to the network, set up firewall (SET UP/FIREWALL), set up sound (SET UP/ALSA SOUND/ALSA WIZARD). Then you'll have a basic desktop, play/burn CD's, MPEG's, basic text editor and calculator etc.

If you go to the HOME directory there's a couple of firefox icons, Firefox and Firefox_Bank. The only difference is the first starts up with some extensions/add-ons being loaded (NoScript, Flash Block, Zoom) whilst the other doesn't. In both cases the first time either is run it auto downloads the latest version of firefox from Mozilla. Typically the download is around 30MB which on my 50Mb internet connection speed takes just seconds.

Within the SFS's subdirectory there are loadxxx files, which I use to load either/any of flash, abiword/gnumeric (word processor and spreadsheet) and a Multi-Media (MM) - which contains Openshot (video editor), xvidcap (screen video capture) and Audacity (sound editor), together with inkscape (draw program), blender (3D animation).

Whilst Openshot will work in a limited way without graphics acceleration, for 3D/animated titles you do need graphics acceleration. That varies according to the type of graphics card you have and accordingly there are two choices in the EXTRA graphics-card sub-directory - one for nvidia, another for mesa. I have a nvidia graphics card so I use that (which involves having to restart X after loading and selecting the NVIDIA choice from within xorgwizard).

You could perhaps use the above as a template/guide to remaster your own version. A nice thing about running entirely from CD/RAM is that it doesn't really matter what you do during a session. Foul up Puppy, be exposed to virus etc. as you can just shutdown and reboot afresh.

Im running a single core 1.5GB RAM setup, and find it flies. 3D rendering can be a little slow, especially compared to when I run on a quad core, but otherwise OK. The approach also forces you to compartmentalise, CD = op sys and GUI, HD = data. So if puppy does trash you don't have data intermixed in with the system files.

I have a 2GB HD swap partition setup, but that hardly ever seems to get used. Not sure why, but despite having 1.5GB or RAM, my 'savefile' space is shown to be 1.7GB (when you boot without a savefile, all of memory becomes your savefile space - but of course that's not saved - unless you opt to create a savefile when you logoff/shutdown (I usually just click Don't Save)).

Booting a fresh opsys/GUI and using a freshly downloaded browser to only directly go to your banks web site, and then shutting down afterwards, all run from within RAM and from a read only device - collectively (IMO) provides comfort that you've implemented a safe practice from your end of things. If that same CD can also be used to do other things (as outlined above), then so much the better.

PS : In the EXTRA sub-directory on the CD, there are also a couple of bootable ISO burner programs, one for 32 bit Windows machines, another for 64 bit Windows machines. You can open the ISO using 7-Zip or WinRar or whatever and drag the appropriate choice out to a Windows directory and then run that in order to burn the ISO to a new/blank CD/DVD.

An encrypted Save file won't protect you from yourself. If you pick up a virus or some other malware from the Internet, that virus will be saved in your Save file, encrypted along with everything else. Encrypting your Save file will only protect you from someone who has physical access to the media that has the Save file in it.

In my opinion, the safest way to run Puppy is from a multisession CD or DVD. In effect, this puts your Save file on the same CD or DVD you're booting Puppy from, but not quite exactly. The differences are in your favor. The only disadvantage is that booting takes longer than from a USB flash drive.

Won't a virus saved to the cd be just as much of a problem as it would be if saved to the flash drive?

Yes, but. Each session on a multisession CD or DVD is a separate folder or directory, so malware is isolated to one of the saved sessions. Multisession Puppy can skip one or more (or all of the) saved sessions when it boots. You can then mount the DVD which contains the skipped session(s) and look in those sessions to try to find what happened.

Saving to a save file on a hard disk or flash drive overwrites whatever file(s) were changed, so there's no going back unless you've backed up the Save file. Multisession Puppy inherently provides the option to go back to a known good configuration by isolating each saved session, combining them only at boot time.

I think Ted Dog was working on somehow making USB Puppy save sessions separately in the same way as multisession Puppy does on a DVD or CD. I don't know how successful he was.

An encrypted Save file won't protect you from yourself. If you pick up a virus or some other malware from the Internet, that virus will be saved in your Save file, encrypted along with everything else. Encrypting your Save file will only protect you from someone who has physical access to the media that has the Save file in it.

In my opinion, the safest way to run Puppy is from a multisession CD or DVD. In effect, this puts your Save file on the same CD or DVD you're booting Puppy from, but not quite exactly. The differences are in your favor. The only disadvantage is that booting takes longer than from a USB flash drive.

Won't a virus saved to the cd be just as much of a problem as it would be if saved to the flash drive?

The safest way when banking is to boot from a read only LiveCD, have no read/write partitions mounted, and use the pristine Puppy opsys/desktop and a pristine browser all running in clean memory (RAM) to only go to your banks web site, no where else either before or after. Puppy is #1 when it comes to being able to do that IMO.

More generally, a good practice is to fake your browsers USER-AGENT, as otherwise that gives a potential hacker too much detail about what to specifically target (op sys, browser and version etc.).

Consider a simple virus

pupmessage hello

Firstly the hacker would need to get that command onto your PC. Which in reading this posting has already been achieved.

The trickier next stage is getting that code executed. The easiest way is to exploit a vulnerability. Very few bits of code (programs such as browser) are totally secure, most have flaws. If you know the op sys and browser being used then you can target such flaws. A common one is overrunning a buffer. A particular sequence and size of bytes that is larger than expected resulting in 'spurious' behaviour (program doing something due to encountering something that was not normally expected), which can result in some 'odd' program behaviour - but if the hacker knows how that odd thing runs they can get their virus (pupmessage hello in this case) to be executed.

A virus is likely to be more harmful or intrusive than just a pupmessage event. Once a small bit of code is run, that can invoke other events - perhaps downloading and installing something deeply into the system. The best frame of mind IMO is to consider any PC that's been used to access the internet for a while is at risk of at some time potentially having been compromised. As such a factory fresh Puppy and Browser loaded into clean RAM is obviously the more secure choice.

This web site provides a indication of what your browser might be telling each and every site that you visit https://www.whatismybrowser.com/ In my case (see attached) sites think I'm running Windows 7 using a outdated Firefox - whilst I'm actually using a Slacko LiveCD with the latest firefox (version 28 even though that web site suggests version 27 is the latest!).

In the modern world however things are reasonably secure. Possible virus sites and threats get jumped on pretty quickly. The greater risk IMO is that of a large-scale theft/vulnerability looking to be side stepped. Again whilst that risk is low if Some-Big-Bank is compromised and looses a lot of money, they might contest that their clients who were using outdated operating systems and/or browsers were at fault and as such refuse to compensate for those losses. If their records showed that you were using XP SP2 and internet explorer to regularly access your Some-Big-Bank online account, then they might say it was your own fault that a loss was endured. Your return argument could be that you were using a LiveCD of a pristine Puppy and latest browser, loaded into clean RAM and going nowhere else before or after other than to the Some-Big-Bank web site, and faking your USER-AGENT - which IMO would be a very strong counter argument (the onus would then be on the bank to prove that casual use of that particular choice of Puppy kernel or browser was the common denominator for the large-scale loss).

Firstly the hacker would need to get that command onto your PC. Which in reading this posting has already been achieved.

HOW exactly???????

What mechanism is downloading, making executable and running software without user intervention? If this was sooo easy why is it not happening every day to millions of linux users?

This is scaremongering based on windows flaky security model from the 90's where the system included software to openly allow a hacker to do just this ... not a buffer overflow in sight.

Such flaws are hypothetical and picked up before anyone even bothered to look... too much like hard work for the average spammer who will simply use readily available tools to do the job rather than wasting time on some convoluted approach.

Ok lets put it another way... make a web page or an emaill that can pass a virus onto my machine and run it... I would be happy to give it a test. A video is just a video.

Of course it probably would have to be specially crafted to attack me and useless for any other system but spammers have all the time in the world to rewrite the software they use every 2 minutes to target maybe a dozen users as exploits appear and disappear while the old ones carry on being used on millions.

Seriously, give me something to test out...I used to do it when evaluating security measures in the past.

I hope 'security' has not become a cosy bandwagon to jump on when programming becomes less lucrative or inaccesible.

If there is a REAL threat then demonstrate it in action so we can all take suitable measures.

Thread is a bit old but would like to opine. IMHO there are two things that generally improve security. The first is the "Live CD" approach on a CD-R (NOT CD-RW). Basically run it and close it as needed. One nuisance noted on frugal installs like Puppy Slacko-5.5XL (there may be others) is the AUTOMATIC wifi-on. Tsk, tsk, Tsk broadcasting "I'm Here!". Manual ON/OFF please. That brings me to point #2, a LAN connection behind "your" router is generally more secure than a wi-fi behind someone else's router (the "Middle-man Exploit" or "Sniffer's Paradise"). Especially for passwords, business transactions, logins, etc. A lot of "free wifi" spots are unencrypted for general surfing: its a tragic mistake to enter any password or conduct any business. So free doesn't really allow one to do work, just surf.

personally, though I use a netbook, I'm nearly always LAN'd. Puppies are a good first step in promoting some security, and I think the CD-R live is a very good idea. Once one gets puppy, the next best thing is using a browser that is migrating away from common-platform applications. These are JAVA and FLASH to name two. Common-Platforms allow Windows, Mac and Linux to do the same thing. Unfortuneately, there are common security risks that make Windows problems MAC and Linux problems. So if one loads a puppy with Firefox (after version 17 IIRC) one is moving away from JAVA. Perhaps in the near-future HTML5 will allow the removal of FLASH for media content.

What works for me is Puppy, FireFox, and a LAN connection, what I'd like to change is LibreOffice and JAVA to something more Linux (IIRC SoftOffice makes FreeOffice_2012). Others will find their own comfort-zone._________________ .

There's a fairly recent thread somewhere in the forum about spoofing the browser's user agent. You'll have to look for it, as I don't remember where in the forum it is. Seems like it was only a few weeks ago, but time flies when you're getting old.

You cannot post new topics in this forumYou cannot reply to topics in this forumYou cannot edit your posts in this forumYou cannot delete your posts in this forumYou cannot vote in polls in this forumYou cannot attach files in this forumYou can download files in this forum